Ubuntu Patches ‘Severe’ Security Flaw in CUPS

If you’ve cast a half-glazed eye over Linux social media feeds at some point in the past few days you may have caught wind that a huge Linux security flaw was about to be disclosed.

And today it was: a remote code execution flaw affecting the CUPS printing stack used in most major desktop Linux distributions (including Ubuntu, and also Chrome OS).

With a severity score of 9.9 it’s right at the edge of the most severe vulnerabilities possible.

The CUPS Security Vulnerability

Canonical explains in its security blog: “At its core, the vulnerability is exploited by tricking CUPS into generating an attacker-controlled PPD (PostScript Printer Description) file for a printer containing an arbitrary command.”

“Whenever the next print job is sent to the printer in question, the command will be executed as the lp user (this is the user that the CUPS daemon runs as and, barring other exploitable vulnerabilities, would not have escalated privileges).”

Many headline-grabbing security vulnerabilities often affect specific hardware or configurations, or require a ne’er-do-well to have physical access to your machine to work.

You might think, “No worries! No one will trick a printing service on my computer into doing things without I don’t know about.”

But Simone Margaritelli, who uncovered the flaw and had to battle to get it taken as seriously as he felt it was, explains in a detailed write up on his blog that this can be done silently, remotely, and without authentication.

On the internet “a remote attacker sends an UDP packet to port 631. No authentication whatsoever,” or on a LAN, “spoofs zeroconf / mDNS / DNS-SD advertisements”.

Red Hat breaks down the chain step-by-step:

1. The cups-browsed service is manually enabled or started
2. Attacker has access to a vulnerable server, which:
   1. Allows unrestricted access, such as the public internet, or
   2. Gains access to an internal network where local connections are trusted
3. Attacker advertises a malicious IPP server, thereby provisioning a malicious printer
4. A potential victim attempts to print from the malicious device
5. Attacker executes arbitrary code on victim’s machine

Shockingly, this vulnerability must have existed for years.

Stop Print! Don’t Panic!

So far, so scary – but there is some good news:

1. If you use a firewall or NAT router that blocks the port affected, you were likely never vulnerable to this
2. Canonical’s security team has issued critical security updates for the affected packages. These updates are rolling out to all supported Ubuntu releases today.

Look out for updates to cups-browsed, cups-filters, libcupsfilters and libppd as the fixes patch four flaws and a few bugs across those affected package.

The aforelinked coverage is worth reading for more background, but also context.

While Canonical’s coverage is reassuring, Margaritelli highlights the difficulty in getting those responsible for the affected packages to initially acknowledge the problem.

On CUPS he concludes: “I’ve seen and attacked enough of this codebase to remove any CUPS service, binary and library from any of my systems and never again use a UNIX system to print. I’m also removing every zeroconf / avahi / bonjour listener.”

No doubt lots of other knowledge folks are offering technical breakdowns and analysis on social media so so if you’re super-keen to learn more …I would say search for the term ‘CUPS’ but I was using the internet in 2006, so …Do not do that.

Anyway, go and install the security patches Canonical has pushed out (if you have unattended upgrades enabled they will probably be installed already), then give your machine reboot to ensure everything clicks in to place properly.

Next time I send something to print from Ubuntu I may just double-check my system processes once the job is done…